Australia ranked fifth in worldwide data breaches so far in 2018

Australia has been ranked fifth globally in Risk Based Security’s Mid-Year 2018 Data Breach QuickView report, which showed there have been a staggering 2,308 publicly disclosed data breaches in the first half of 2018.

Key findings of the report

The US topped the report with more than 1,000 data breaches in the first half of the year, followed by the UK (62 breaches), Canada (48 breaches), India (45 breaches) and Australia (24 breaches). The remaining data breaches were spread across the world, hitting other Asia-Pacific countries such as Vietnam, the Philippines and China.

Australia also ranked fifth in the number of exposed records by country at a whopping 20,035,981 – an average of 834,833 exposed records per breach.

The report examined all the data breaches worldwide and found:

Hacking was the most common type of data breach (1261), followed by skimming (255), web (128) and phishing (102).

45% of breaches exposed email addresses, 41% passwords and 34% names.

The business sector accounted for 40% of data breaches, followed by medical (8%), government (8%) and education (4%).

Five breaches exposed 100 million or more records, which accounted for approximately 2 billion exposed records.

“2018 has been a curious year. After the wild ride of 2017, we became accustomed to seeing a lot of breaches, exposing extraordinary amounts of information. 2018 is remarkable in that the number of public disclosed breaches appears to be levelling off while the number of records exposed remains stubbornly high,” said Inga Goddijn, executive vice president for Risk Based Security.

Australian organisations must comply with the Privacy Act 1988, a federal law that regulates the use of personal information.

The Privacy Act was amended in February 2017 to include the NDB (Notifiable Data Breaches) scheme, applying to organisations that have personal information security obligations under the Act. This includes Australian Government agencies, business and not-for-profit organisations with an annual turnover of $3 million or more, among others.

Under the NDB scheme, organisations must inform individuals of incidents in which unauthorised access to, or loss or disclosure of, their personal information is likely to result in serious harm to them that cannot be prevented with remedial action.

The OAIC (Office of the Australian Information Commissioner) must also be informed.

Data breach reporting

Australian organisations that monitor the behaviour of, or offer goods and services to, EU residents’ personal data must also consider the requirements of the GDPR (General Data Protection Regulation) when responding to a data breach. Similar to the OAIC process, IT Governance also recommends six key steps organisations must take in response to a data breach:

Situational analysis: Tell the supervisory authority as much as you can about what happened, what went wrong and how it happened.